[ossec-list] Re: Rule on server only for specific agents

2017-06-06 Thread Tom Lobato
Thanks, Victor.
I ended up doing something like this:

<hostname>host1|host2|host3</hostname>

but using the hostname from /etc/hostname of the servers running the agent.

Cheers,
Tom

On Friday, June 2, 2017 at 3:43:23 PM UTC, Victor Fernandez wrote:
>
> Hi Tom,
>
> there is a rule option, <hostname>, that should work for you.
>
> Alerts start this way:
>
> ** Alert 1488922301.778562: mail  - ossec,syscheck,pci_dss_11.5,
> 2017 Mar 07 13:31:41 (myagent) 192.168.66.1->syscheck
>
> The "(myagent) 192.168.66.1" part is the agent hostname; it has the form
> "(name) IP". Another instance may be "(myagent) any", when the agent was
> registered using IP="any".
>
> So if you want to create a rule that only applies to an agent called 
> "myagent" you may use a rule such this one:
>
> <rule id="11" level="3">
>   <hostname>^(myagent)</hostname>
> </rule>
>
>
> Hope it helps.
>
> Best regards,
> Victor.
>
> On Friday, June 2, 2017 at 4:40:29 PM UTC+2, Tom Lobato wrote:
>>
>> Is it possible to specify on which agents you want a certain rule enabled?
>>
>
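Victor's explanation above, turned into a runnable check. This is an added example, not code from the thread or from OSSEC: it parses alerts.log header lines of the "(name) IP->location" shape he quotes and applies a <hostname>-style pattern to the hostname field. The alert headers are constructed (the first is the one from the thread, the rest are placeholders), and ossec_match is my approximation of the match-style test OSSEC rule options use ('|' alternatives, '^' and '$' anchors, plain substring otherwise), not OSSEC's own engine. It shows why the parentheses in "(name)" matter: a bare name such as host1 also selects an agent named host10, while ^(host1) does not, and ^(myagent) covers both the "(myagent) 192.168.66.1" and the "(myagent) any" form.

```python
import re

# Constructed alerts.log header lines. The first is the line quoted in the
# thread; the others are invented to exercise the matching. Agent events are
# written as "(name) IP->location"; "any" appears when the agent was
# registered with IP="any".
SAMPLE_ALERT_HEADERS = [
    "2017 Mar 07 13:31:41 (myagent) 192.168.66.1->syscheck",
    "2017 Mar 07 13:32:02 (myagent) any->/var/log/secure",
    "2017 Mar 07 13:32:15 (host1) 10.0.0.11->/var/log/auth.log",
    "2017 Mar 07 13:32:16 (host10) 10.0.0.20->/var/log/auth.log",
    "2017 Mar 07 13:32:40 (host2) 10.0.0.12->/var/log/auth.log",
]

HEADER_RE = re.compile(
    r"^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} (?P<hostname>.+?)->(?P<location>.+)$"
)


def parse_header(line):
    """Split an alert header line into (hostname, location)."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an alert header: %r" % line)
    return m.group("hostname"), m.group("location")


def ossec_match(pattern, text):
    """My approximation (assumption, not taken from the OSSEC source) of the
    match-style test used by rule options such as <hostname>: '|' separates
    alternatives, '^' anchors the start, '$' anchors the end, and anything
    else is a plain substring search. Parentheses are ordinary characters."""
    for alt in pattern.split("|"):
        anchored_start = alt.startswith("^")
        anchored_end = alt.endswith("$")
        core = alt
        if anchored_start:
            core = core[1:]
        if anchored_end:
            core = core[:-1]
        if anchored_start and anchored_end:
            hit = text == core
        elif anchored_start:
            hit = text.startswith(core)
        elif anchored_end:
            hit = text.endswith(core)
        else:
            hit = core in text
        if hit:
            return True
    return False


def agents_selected(hostname_pattern, headers=SAMPLE_ALERT_HEADERS):
    """Hostname fields, as the manager writes them, on which a rule carrying
    the given <hostname> pattern would fire."""
    return [
        hostname
        for hostname, _location in map(parse_header, headers)
        if ossec_match(hostname_pattern, hostname)
    ]


if __name__ == "__main__":
    for pattern in ("^(myagent)", "host1|host2|host3", "^(host1)|^(host2)|^(host3)"):
        print("%-32s -> %s" % (pattern, agents_selected(pattern)))
```

The middle pattern is the bare-name form; with an agent named host10 in the fleet it fires on that agent too, which is the kind of silent over-match that is easy to miss once rules are tuned per tier. Anchoring on the full "(name)" token avoids it.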

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] Disconnect issue

2017-06-06 Thread Jose Luis Ruiz
Hi Prakash

Try setting the option *remoted.verify_msg_id* to 0 (you should have 1 now) in
/var/ossec/etc/internal_options.conf on both the manager and the agent, and
restart both.

*remoted.verify_msg_id=0*

I hope it helps.

Regards
---
Jose Luis Ruiz
Wazuh Inc.
j...@wazuh.com

On June 6, 2017 at 6:25:19 PM, prakash ranjan (prakashranjan2...@gmail.com)
wrote:

Hi,

Please help.

I am getting the following error:

2017/06/06 11:20:29 ossec-remoted(1407): ERROR: Duplicated counter for 'notify1-nightly.networkfleet.com'.
2017/06/06 11:20:35 ossec-remoted(1407): ERROR: Duplicated counter for 'notify1-nightly.networkfleet.com'.

I have followed the steps under the heading "Fixing Duplicate Errors" on
https://ossec.github.io/docs/faq/unexpected.html, but it didn't fix the issue.
Regards

Prakash
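The change Jose describes, as an added example that is not from the thread or from the OSSEC project: a small Python helper that flips remoted.verify_msg_id in internal_options.conf while keeping the file's comments and other keys intact, and reports the value it replaced so the change can be reverted later. The file excerpt below is constructed, and the default path and the comment wording are assumptions. One caveat a practitioner should keep in mind: the per-agent message counters behind the "Duplicated counter" error are what lets remoted reject replayed agent messages, so verify_msg_id=0 removes that check on both ends. It is a reasonable diagnostic step, but once the counters under /var/ossec/queue/rids/ are back in sync (the FAQ procedure Prakash refers to) the option should go back to 1.

```python
import re

# Constructed excerpt of /var/ossec/etc/internal_options.conf; the real file
# carries many more keys. Comment text and neighbouring keys are assumptions.
SAMPLE_INTERNAL_OPTIONS = """\
# internal_options.conf (constructed excerpt)
# Remoted (server)
remoted.recv_counter_flush=128
# Verify msg id (set to 0 to disable it)
remoted.verify_msg_id=1
# Syscheck
syscheck.sleep=2
"""

# key=value lines; keys are dotted names such as remoted.verify_msg_id
KEY_RE = re.compile(r"^\s*([A-Za-z_][\w.]*)\s*=\s*(\S+)\s*$")


def read_options(text):
    """Parse key=value lines into a dict; comments and blank lines are skipped."""
    options = {}
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            options[m.group(1)] = m.group(2)
    return options


def set_option(text, key, value):
    """Return (new_text, previous_value). The key is rewritten in place so the
    surrounding comments survive; it is appended if it was not present, in
    which case previous_value is None. Calling it twice is a no-op."""
    out = []
    previous = None
    found = False
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m and m.group(1) == key:
            previous = m.group(2)
            out.append("%s=%s" % (key, value))
            found = True
        else:
            out.append(line)
    if not found:
        out.append("%s=%s" % (key, value))
    return "\n".join(out) + "\n", previous


def disable_msg_id_check(text):
    """The setting from the thread: remoted.verify_msg_id=0."""
    return set_option(text, "remoted.verify_msg_id", "0")


if __name__ == "__main__":
    import sys

    # Apply to a real file: python3 this.py /var/ossec/etc/internal_options.conf
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/ossec/etc/internal_options.conf"
    with open(path) as fh:
        original = fh.read()
    updated, previous = disable_msg_id_check(original)
    with open(path + ".bak", "w") as fh:
        fh.write(original)
    with open(path, "w") as fh:
        fh.write(updated)
    print("remoted.verify_msg_id: %s -> 0 (backup written to %s.bak)" % (previous, path))
```

Run it on the manager and on the agent, then restart both as Jose says; the printed previous value is what to put back once the counters have been reset.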


[ossec-list] Disconnect issue

2017-06-06 Thread prakash ranjan
Hi,

Please help.

I am getting the following error:

2017/06/06 11:20:29 ossec-remoted(1407): ERROR: Duplicated counter for 'notify1-nightly.networkfleet.com'.
2017/06/06 11:20:35 ossec-remoted(1407): ERROR: Duplicated counter for 'notify1-nightly.networkfleet.com'.

I have followed the steps under the heading "Fixing Duplicate Errors" on
https://ossec.github.io/docs/faq/unexpected.html, but it didn't fix the issue.

*Details about the environment:*

*OS = OEL Linux 6.8*

*/var/ossec/bin/ossec-analysisd -V*

OSSEC HIDS v2.8 - Trend Micro Inc.

*cat /etc/ossec-init.conf*

DIRECTORY="/var/ossec/"
VERSION="v2.8"
DATE="Tue Jan 26 08:34:27 PST 2016"
TYPE="server"

*cat /var/ossec/etc/ossec.conf* (IP addresses removed; the archive also dropped
the element tags, restored below where the values leave no doubt)

<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <smtp_server>localhost</smtp_server>
    25
  </global>

  xx.xx.xx.xx

  <rules>
    <include>rules_config.xml</include>
    <include>pam_rules.xml</include>
    <include>sshd_rules.xml</include>
    <include>telnetd_rules.xml</include>
    <include>syslog_rules.xml</include>
    <include>arpwatch_rules.xml</include>
    <include>symantec-av_rules.xml</include>
    <include>symantec-ws_rules.xml</include>
    <include>pix_rules.xml</include>
    <include>named_rules.xml</include>
    <include>smbd_rules.xml</include>
    <include>vsftpd_rules.xml</include>
    <include>pure-ftpd_rules.xml</include>
    <include>proftpd_rules.xml</include>
    <include>ms_ftpd_rules.xml</include>
    <include>ftpd_rules.xml</include>
    <include>hordeimp_rules.xml</include>
    <include>roundcube_rules.xml</include>
    <include>wordpress_rules.xml</include>
    <include>cimserver_rules.xml</include>
    <include>vpopmail_rules.xml</include>
    <include>vmpop3d_rules.xml</include>
    <include>courier_rules.xml</include>
    <include>web_rules.xml</include>
    <include>web_appsec_rules.xml</include>
    <include>apache_rules.xml</include>
    <include>nginx_rules.xml</include>
    <include>php_rules.xml</include>
    <include>mysql_rules.xml</include>
    <include>postgresql_rules.xml</include>
    <include>ids_rules.xml</include>
    <include>squid_rules.xml</include>
    <include>firewall_rules.xml</include>
    <include>cisco-ios_rules.xml</include>
    <include>netscreenfw_rules.xml</include>
    <include>sonicwall_rules.xml</include>
    <include>postfix_rules.xml</include>
    <include>sendmail_rules.xml</include>
    <include>imapd_rules.xml</include>
    <include>mailscanner_rules.xml</include>
    <include>dovecot_rules.xml</include>
    <include>ms-exchange_rules.xml</include>
    <include>racoon_rules.xml</include>
    <include>vpn_concentrator_rules.xml</include>
    <include>spamd_rules.xml</include>
    <include>msauth_rules.xml</include>
    <include>mcafee_av_rules.xml</include>
    <include>trend-osce_rules.xml</include>
    <include>ms-se_rules.xml</include>
    <include>zeus_rules.xml</include>
    <include>solaris_bsm_rules.xml</include>
    <include>vmware_rules.xml</include>
    <include>ms_dhcp_rules.xml</include>
    <include>asterisk_rules.xml</include>
    <include>ossec_rules.xml</include>
    <include>attack_rules.xml</include>
    <include>openbsd_rules.xml</include>
    <include>clam_av_rules.xml</include>
    <include>dropbear_rules.xml</include>
    <include>local_rules.xml</include>
  </rules>

  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
  </rootcheck>

  <global>
    <white_list>xx.xx.xx.xx</white_list>
    <white_list>^localhost.localdomain$</white_list>
    <white_list>xx.xx.xx.xx</white_list>
    <white_list>xx.xx.xx.xx</white_list>
  </global>

  <remote>
    <connection>syslog</connection>
  </remote>

  <remote>
    <connection>secure</connection>
  </remote>

  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>10</email_alert_level>
  </alerts>

  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>disable-account</name>
    <executable>disable-account.sh</executable>
    <expect>user</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>restart-ossec</name>
    <executable>restart-ossec.sh</executable>
    <expect></expect>
  </command>

  <command>
    <name>route-null</name>
    <executable>route-null.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/httpd/*log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/maillog</location>
  </localfile>

  <localfile>
    <log_format>command</log_format>
    <command>df -h</command>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tan |grep LISTEN |grep -v xx.xx.xx.xx | sort</command>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>last -n 5</command>
  </localfile>
</ossec_config>

Regards

Prakash



[ossec-list] Re: How to know when syscheck agent finishes a scan?

2017-06-06 Thread John Kondur
Thanks, but unfortunately all it shows is the following:

OSSEC HIDS agent_control. Agent information:
   Agent ID:   1027
   Agent Name: server1
   IP address: any/any
   Status: Active

   Operating system:    Linux 4.4.
   Client version:      OSSEC HIDS v2.8.3 / 6322ee12ea9a05951f97923a8341a01a
   Last keep alive:     Tue Jun  6 19:10:59 2017

   Syscheck last started  at: Tue Jun  6 18:19:23 2017
   Rootcheck last started at: Tue Jun  6 18:41:54 2017

It just shows when the scan last started, but never when it completes.


On Tuesday, June 6, 2017 at 4:42:52 AM UTC-4, Jesus Linares wrote:
>
> Hi John,
>
> I think it should appear in /var/ossec/bin/agent_control -i 1027. Also,
> you can review the ossec.conf of your agent.
>
> Regards.
>
> On Monday, June 5, 2017 at 6:24:14 PM UTC+2, John Kondur wrote:
>>
>> I just started to use ossec, and was doing some testing by making some 
>> changes in a file in a directory, and then I run from the server:
>>
>>
>> /var/ossec/bin/agent_control -r -a
>>
>>
>> if I do a query on the agent:
>>
>>
>>
>> /var/ossec/bin/agent_control -i 1027
>>
>>
>>
>> It shows the last time it started but never when it completes. Is there a
>> process or a way to check whether it completed, or am I not waiting long
>> enough? So far I am not seeing OSSEC pick up the file changes.
>>
>> Thanks
>>
>
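John's point above is that agent_control -i only reports when syscheck last started. An added example, not from the thread or from OSSEC, that looks at the other place the agent records its scans: the agent's own /var/ossec/logs/ossec.log, where ossec-syscheckd writes an INFO line when a scan starts and another when it ends (the wording below follows the OSSEC 2.x messages as I know them and is an assumption; the log lines themselves are constructed). The helper pairs start and end lines into scans, reports each scan's duration, and treats a start with no matching end as a scan still in progress, which is the question John is asking.

```python
import re
import sys
from datetime import datetime

# Constructed agent-side ossec.log excerpt. The "Starting"/"Ending syscheck
# scan" wording is assumed from OSSEC 2.x ossec-syscheckd; the rootcheck line
# is there to show that unrelated INFO lines are ignored.
SAMPLE_OSSEC_LOG = """\
2017/06/06 18:19:23 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2017/06/06 18:31:07 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
2017/06/06 18:41:54 ossec-rootcheck: INFO: Starting rootcheck scan.
2017/06/06 19:05:12 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
"""

SCAN_LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) ossec-syscheckd: INFO: "
    r"(?P<event>Starting|Ending) syscheck scan"
)


def syscheck_scans(log_text):
    """Pair Starting/Ending lines into scans, in log order.
    Each scan is a dict with 'started', 'ended' (None while running) and
    'seconds' (None while running)."""
    scans = []
    current = None
    for line in log_text.splitlines():
        m = SCAN_LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
        if m.group("event") == "Starting":
            # A new start while one is still open means the previous scan never
            # logged an end (agent restarted or died mid-scan); it stays open.
            current = {"started": ts, "ended": None, "seconds": None}
            scans.append(current)
        elif current is not None and current["ended"] is None:
            current["ended"] = ts
            current["seconds"] = int((ts - current["started"]).total_seconds())
    return scans


def scan_in_progress(log_text):
    """True when the most recent scan has started but not yet logged an end."""
    scans = syscheck_scans(log_text)
    return bool(scans) and scans[-1]["ended"] is None


def describe(log_text):
    """Human-readable one-liners, one per scan."""
    lines = []
    for scan in syscheck_scans(log_text):
        if scan["ended"] is None:
            lines.append("%s  running" % scan["started"])
        else:
            lines.append("%s  finished after %d s" % (scan["started"], scan["seconds"]))
    return lines


if __name__ == "__main__":
    # On an agent: python3 this.py /var/ossec/logs/ossec.log
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OSSEC_LOG
    for line in describe(text):
        print(line)
    print("scan in progress:", scan_in_progress(text))
```

With the sample excerpt the first scan took 704 seconds and the second is still open, so a file changed right after 19:05 would not show up on the manager until that scan reaches it.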



[ossec-list] Problem with dovecot decoder

2017-06-06 Thread nnonka
Hi all,

I have a problem with the dovecot decoder.

Example log:
Dec 19 17:20:08 ny dovecot: pop3-login: Aborted login (auth failed, 2 attempts in 18 secs): user=, method=PLAIN, rip=1.2.3.4, lip=1.2.3.4, session=

Default dovecot decoder:

  <parent>dovecot</parent>
  <prematch>^\w\w\w\w-login: Aborted login</prematch>
  <regex>: user=\p(\S+)\p, method=\S+, rip=:::(\d+.\d+.\d+.\d+), lip=:::(\d+.\d+.\d+.\d+)$</regex>
  <order>user, srcip, dstip</order>

Is it possible to create an additional decoder that extracts the same fields as
the one above when the regex tag does not match but the prematch did?
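The two-stage decoder match the post describes, as an added example that is not from the thread or from OSSEC's decoder.xml. It translates the posted prematch and regex from OSSEC's regex syntax into Python (my reading of that syntax, not OSSEC's engine) and runs them over constructed dovecot lines, so it becomes visible that the prematch hits the posted log while the regex cannot: the regex wants something between rip= and the address and an end-of-line right after lip=, and the posted line has neither (it carries a trailing session= field). A second, looser decoder of my own then extracts the three fields from the same line. Whether OSSEC itself falls through to a sibling decoder when a child's regex fails is not settled by this model; it only shows what each pattern matches. The sample lines are constructed, with the angle brackets dovecot prints around user and session restored (an assumption; the archive stripped them).

```python
import re

# OSSEC regex escapes mapped to Python character classes (my reading of the
# OSSEC regex syntax; everything else is literal except the metacharacters).
_OSSEC_CLASSES = {
    r"\w": r"[A-Za-z0-9_]",
    r"\W": r"[^A-Za-z0-9_]",
    r"\d": r"[0-9]",
    r"\D": r"[^0-9]",
    r"\s": r" ",
    r"\S": r"[^ ]",
    r"\t": r"\t",
    r"\p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&|{}]""",
    r"\.": r"\.",
}
_META = set(".^$()|+*")


def ossec_regex_to_python(pattern):
    """Translate an OSSEC <prematch>/<regex> pattern into a Python regex."""
    out, i = [], 0
    while i < len(pattern):
        two = pattern[i:i + 2]
        if two in _OSSEC_CLASSES:
            out.append(_OSSEC_CLASSES[two])
            i += 2
        else:
            c = pattern[i]
            out.append(c if c in _META else re.escape(c))
            i += 1
    return "".join(out)


# Constructed logs. The first is the posted line with <> restored; the second
# has a named user; the third is a successful login the prematch must reject.
SAMPLE_LOGS = [
    "Dec 19 17:20:08 ny dovecot: pop3-login: Aborted login (auth failed, 2 attempts in 18 secs): "
    "user=<>, method=PLAIN, rip=1.2.3.4, lip=1.2.3.4, session=<gXz1lqNE9QABAgME>",
    "Dec 19 17:21:30 ny dovecot: imap-login: Aborted login (auth failed, 1 attempts in 4 secs): "
    "user=<bob>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.9, session=<abc123>",
    "Dec 19 17:22:01 ny dovecot: imap-login: Login: user=<alice>, method=PLAIN, "
    "rip=198.51.100.8, lip=203.0.113.9, mpid=4711",
]

# The decoder as posted in the thread (tag attributes were lost in the archive).
DECODER_FROM_THREAD = {
    "name": "dovecot aborted login (as posted)",
    "prematch": r"^\w\w\w\w-login: Aborted login",
    "regex": r": user=\p(\S+)\p, method=\S+, rip=:::(\d+.\d+.\d+.\d+), lip=:::(\d+.\d+.\d+.\d+)$",
    "order": ["user", "srcip", "dstip"],
}

# My looser variant: same prematch, empty user allowed, no prefix before the
# address and no end anchor. Not from OSSEC's decoder.xml.
DECODER_LOOSE = {
    "name": "dovecot aborted login (constructed, loose)",
    "prematch": r"^\w\w\w\w-login: Aborted login",
    "regex": r": user=\p(\S*)\p, method=\S+, rip=(\d+.\d+.\d+.\d+), lip=(\d+.\d+.\d+.\d+)",
    "order": ["user", "srcip", "dstip"],
}

SYSLOG_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ (?P<program>[^ :\[]+)(?:\[\d+\])?: (?P<message>.*)$"
)


def dovecot_message(line):
    """What the child decoders see: the syslog header and the 'dovecot:'
    program name removed (the parent decoder selects on the program name).
    Returns None for lines that are not dovecot's."""
    m = SYSLOG_RE.match(line)
    if not m or m.group("program") != "dovecot":
        return None
    return m.group("message")


def decode(decoder, message):
    """Two-stage match. Returns (prematched, fields): False when the decoder
    does not apply at all; True with empty fields when the prematch hit but
    the regex extracted nothing; True with the ordered fields otherwise."""
    if message is None or not re.search(ossec_regex_to_python(decoder["prematch"]), message):
        return False, {}
    m = re.search(ossec_regex_to_python(decoder["regex"]), message)
    if not m:
        return True, {}
    return True, dict(zip(decoder["order"], m.groups()))


def decode_all(decoder, lines=SAMPLE_LOGS):
    return [decode(decoder, dovecot_message(line)) for line in lines]


if __name__ == "__main__":
    for decoder in (DECODER_FROM_THREAD, DECODER_LOOSE):
        print(decoder["name"])
        for prematched, fields in decode_all(decoder):
            print("  prematch=%-5s fields=%s" % (prematched, fields))
```

The loose regex keeps \d+.\d+.\d+.\d+ for the addresses, so it is as IPv4-only as the posted one; it differs only in dropping the prefix and the end anchor and in accepting user=<>, which is what dovecot logs when authentication was attempted without a username.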




[ossec-list] Re: How to know when syscheck agent finishes a scan?

2017-06-06 Thread Jesus Linares
Hi John,

I think it should appear in /var/ossec/bin/agent_control -i 1027. Also,
you can review the ossec.conf of your agent.

Regards.

On Monday, June 5, 2017 at 6:24:14 PM UTC+2, John Kondur wrote:
>
> I just started to use ossec, and was doing some testing by making some 
> changes in a file in a directory, and then I run from the server:
>
>
> /var/ossec/bin/agent_control -r -a
>
>
> if I do a query on the agent:
>
>
>
> /var/ossec/bin/agent_control -i 1027
>
>
>
> It shows the last time it started but never when it completes. Is there a
> process or a way to check whether it completed, or am I not waiting long
> enough? So far I am not seeing OSSEC pick up the file changes.
>
> Thanks
>
